The “Top 20 Critical Security Controls” began in 2008 as an effort by U.S. and international agencies, including our own NSA, which has been the subject of so much media attention recently.  Eventually, recommendations for what became the “Critical Security Controls” (Controls) were coordinated through the SANS Institute.  In 2013, the stewardship and sustainment of the Controls were transferred to the Council on CyberSecurity (the Council), an independent, global non-profit entity committed to a secure and open internet.

At the RSA Conference last week, the Council officially unveiled Version 5.0, the latest iteration of these Controls.  The Controls were selected by consensus among top security professionals as the priority security controls, with a strong emphasis on “What Works”, that is, controls that have demonstrated real-world effectiveness.  The idea is to prioritize within a much broader set of controls, such as those defined by NIST SP 800-53: a smaller, “must do first” list of controls is easier to implement and generates a high return.

The question is: how does this list compare with the 42 controls mandated by HIPAA?  Our Top 20 Security Controls / 42 HIPAA Controls Crosswalk answers that question.

Note that, in most cases, the details of a control specified by the Council are not fully equivalent to the corresponding HIPAA control; the crosswalk maps related controls, not identical ones.

This analysis supports our assertion that the HIPAA regulations omit many of the controls that experts believe are the most important for cyber security.  In other words, “Compliance does not equal Security.”  Hospitals and physicians who diligently follow the HIPAA regulations may still fail to implement some of the controls most necessary for security.

There are several take-aways:

  1. Organizations regulated by HIPAA, with a duty to protect protected health information (PHI), need to look beyond the HIPAA regulations for security safeguards.  An effective Meaningful Use risk analysis will identify these controls.
  2. Compliance remains important.  The HIPAA regulations are the law of the land, and organizations need also to monitor and maintain compliance with HIPAA.

Eagle Consulting Partners offers assistance both with security and compliance.
